Solved

ISA 2006 Client\User Certificates Issue...

Posted on 2006-11-17
798 Views
Last Modified: 2013-11-16
I was wondering if the statement below is true for ISA 2006, as it was in ISA 2000 and I believe ISA 2004?

If you’ve tried to allow users to authenticate with the Incoming Web Requests listener and the internal network Web server, you’ve realized it doesn’t work. There is only one way to get authentication to work on both the Incoming Web Requests listener and the Web server on the internal network. The only scenario that allows authentication at both the ISA Server and the internal network Web server is when the Incoming Web Requests listener uses client certificate authentication and the internal network Web server uses Digest, Integrated or Basic authentication.

Is this the only scenario that requires the use of client\user certificate authentication for any version of ISA?

It looks like in ISA 2006, as long as we have SSL bridging on, we can secure communications via SSL from the ISA server to the web server too, as well as or in addition to configuring a secure SSL connection from the web client to the ISA server itself via the listener. Seems like in ISA 2006 you don’t need dual authentication, both at the ISA and at the web server, to have full end to end SSL.

Is that now true in ISA 2006?

Or has this always been possible in all versions of ISA?

More to the point, does it hold on all versions that for dual authentication you must use client certificates?

Meaning, is it the only time client\user certs are required?

But if you don’t want\need dual authentication, meaning just authenticating at the ISA, can you still have end to end SSL on ISA 2006 without the use of client certificates?

{Is it also true for ISA 2004 and 2000?}

Also, in the scenario where no client\user certificates are involved, does ISA then never need to communicate with a CA to verify certificates via a CRL to maintain\employ end to end SSL?

Because at this point our certs on ISA show as invalid or expired, as we are not allowing any web traffic from ISA out.

I know there is a CRL HTTP rule out, but I'm not sure if we need to allow that with web clients just authenticating at ISA and not the web server too (i.e. dual auths)?

In the scenario where authentication takes place only at the ISA listener, does it matter that we have not allowed access to the web to access CRL data?

As I know that a cert is considered invalid if not verified against a CRL {why our ISA certs have a red X, i.e. show as invalid\expired}, but it nonetheless does match the certs on the web server, which themselves, unlike the ISA server, do not have a red X on the cert, as it can verify the cert because it has web access.

Do we need to allow one-time {or continuous} access to a\the CRL site to get the red X off the ISA certs if we're only authenticating web clients once via the ISA listener for end to end SSL?

Paul…

 

Question by:inuic
11 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17967801
First, please do not leave all that white space between your comments; it makes it a nightmare to read through.

In 2004 and 2006 you had the option of either tunnelling SSL or bridging it. Many people prefer tunnelling, whereby you only have the cert on the web server and ISA tunnels the traffic directly through to the web server. Upside: cert only on the web server. Downside: ISA cannot filter the traffic, as it cannot decrypt (see inside) the SSL tunnel and so cannot see what the traffic is to accept/reject it, i.e. it's just a conduit.

The bridging option comes in a number of flavours.

SSL outside to ISA (needs cert on ISA) --- bridge SSL from ISA to web server (needs another cert on web server)
SSL outside to ISA (needs cert on ISA) --- bridge HTTP from ISA to web server (no cert on web server)
HTTP outside to ISA (no cert on ISA) --- bridge HTTP from ISA to web server (no cert on ISA)
HTTP outside to ISA (no cert on ISA) --- bridge SSL from ISA to web server (needs cert on web server)

View the certificate; a red X normally means it has failed one of the criteria: Fully Qualified Domain Name (FQDN), out of date, non-authorised certifier etc. Have you imported the certs into the certificate root on ISA also?

Keith

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17967818
Also, who is your certificating body?

You can add them to the list through the ISA system policy: highlight the ISA firewall policy.
At the top of the ISA screen, a set of icons appears. Hit the last one on the right and it toggles on/off the system policy rules. Towards the bottom of these are the allowed CRL sites etc. Edit this and add as necessary. Apply the policy, then hit the toggle icon again to get rid of them from the list.
0
 

Author Comment

by:inuic
ID: 17968014
My main question is about Client\User Certificates, and if they are needed\required for full end to end SSL? It looks like you can have end to end SSL and just use bridging, not employing the extra step of user certificates. Is this just tunneling? In order to have stateful inspection of what's in the SSL tunnel, do you need to use user\client certificates? If I don't require authentication at both the ISA server and the Web server, just at ISA, and have SSL from the client to ISA and bridge SSL to the Web server from ISA, is that just SSL tunneling? i.e. no stateful inspection of the data in the SSL tunnel?

Which scenarios allow stateful inspection of what's in the SSL tunnel when using end to end SSL? Does it require client\user certificates? i.e. dual authentication at both the ISA and web server?

If I just require authentication at ISA and still bridge SSL to the web server, is that just SSL tunneling?

I'm not sure my question(s) were really answered by the previous comments. But thanks for the input.

Paul...
P.S. I left white space for room to answer my individual questions, as there were many...
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17968079
OK, one at a time here..... :)

To perform SPI through ISA you need to bridge, period. Tunnelling means that ISA cannot see what is in the tunnel, as it's encrypted, and acts simply as a carrier for the traffic, not a monitor; i.e. the client makes the SSL tunnel from their browser directly to the end web server. SSL tunnelling on ISA means it acts like a railway tunnel: the traffic simply passes through, as in a conduit.

Bridging means that ISA terminates the connection from the client regardless of whether it is SSL or HTTP. It then opens its own connection between itself and the web server. In this condition it can check the traffic, as it has decoded what has come in (and identified it) before repackaging it again for transit to the web server.

Most organisations use SSL between the ISA and the outside client and then use HTTP (bridge) to the internal web server. This saves on certificates and is the simplest method, with the exception of tunneling straight through.

When you click on your certificate and choose the view option, what does it say has failed?
0
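The tunnel-versus-bridge distinction in the comment above can be made concrete. What follows is an added example written for this page, not code from ISA Server, from the thread or from its participants: a small Go program that stands up a TLS backend and a TLS-terminating bridge in front of it on loopback (using httptest's self-signed certificates as stand-ins for the "cert on ISA" and the "cert on the web server"), applies a constructed PublishRule (allowed methods plus a path prefix, a stand-in for a web publishing rule, not ISA's rule model) to each decrypted request, and forwards only what the rule allows. The paths, methods and the rule itself are assumptions made for the illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// PublishRule models the part of a web publishing rule that a bridge can enforce
// only because it sees the decrypted request: the HTTP methods and the path
// prefix allowed through to the published server. Constructed for this example.
type PublishRule struct {
	PathPrefix string
	Methods    map[string]bool
}

// Allows reports whether the decoded request lies within the published surface.
func (r PublishRule) Allows(req *http.Request) bool {
	return r.Methods[req.Method] && strings.HasPrefix(req.URL.Path, r.PathPrefix)
}

// NewBridge returns a handler that terminates the client's connection, applies
// the rule to the decoded request, and only then opens its own TLS connection
// to the backend. A tunnel cannot make this decision: it never sees the request.
func NewBridge(backend *url.URL, backendTLS *tls.Config, rule PublishRule) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	proxy.Transport = &http.Transport{TLSClientConfig: backendTLS}
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if !rule.Allows(req) {
			http.Error(w, "blocked by publishing rule", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, req)
	})
}

// RunBridgeDemo stands up an in-process TLS backend and a TLS bridge in front of
// it (both on loopback with httptest's self-signed certificates), sends a few
// requests through the bridge and returns the status code each one received.
func RunBridgeDemo() (map[string]int, error) {
	backend := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "backend saw %s %s\n", r.Method, r.URL.Path)
	}))
	defer backend.Close()
	backendURL, err := url.Parse(backend.URL)
	if err != nil {
		return nil, err
	}
	// The bridge trusts only the backend's certificate: the "cert on the web
	// server" half of SSL-to-SSL bridging.
	backendTLS := backend.Client().Transport.(*http.Transport).TLSClientConfig.Clone()
	rule := PublishRule{PathPrefix: "/owa/", Methods: map[string]bool{"GET": true, "POST": true}}
	bridge := httptest.NewTLSServer(NewBridge(backendURL, backendTLS, rule))
	defer bridge.Close()
	client := bridge.Client() // trusts the bridge's certificate: the "cert on ISA" half

	results := map[string]int{}
	for _, c := range []struct{ method, path string }{
		{"GET", "/owa/"}, {"POST", "/owa/auth"}, {"GET", "/admin/"}, {"DELETE", "/owa/x"},
	} {
		req, err := http.NewRequest(c.method, bridge.URL+c.path, nil)
		if err != nil {
			return nil, err
		}
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
		results[c.method+" "+c.path] = resp.StatusCode
	}
	return results, nil
}

func main() {
	results, err := RunBridgeDemo()
	if err != nil {
		panic(err)
	}
	for k, v := range results {
		fmt.Printf("%-18s -> %d\n", k, v)
	}
}
```

Running it prints the status each request got back through the bridge: the two requests inside the published `/owa/` surface reach the backend (200), while `/admin/` and the `DELETE` are refused (403) before any connection to the web server is opened. A tunnel in the same position could only copy bytes between the two sockets and would pass those two requests through untouched, which is exactly the inspection Keith says tunnelling gives up.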

Author Comment

by:inuic
ID: 17968089
P.S.

I have imported the certs into the certificate root on ISA. But we allow no web traffic out, hence the CRL site cannot be contacted to verify the certs on ISA. Is that why they have a red X? The same certs on the web server have no red X. I imported my certs to ISA from the web server. To verify the certs on ISA {remove red X}, do I need to allow ISA access to the CRL site? We are using VeriSign as our CA.

Paul...
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17968109
Sorry, have I been at a tangent here? Yes, ISA will need to contact the site; by default ISA cannot talk to much. If you do not want ISA to have general web access, then use the option I mentioned above to give limited access.

<<< You can add them to the list through the ISA system policy: highlight the ISA firewall policy.
At the top of the ISA screen, a set of icons appears. Hit the last one on the right and it toggles on/off the system policy rules. Towards the bottom of these are the allowed CRL sites etc. Edit this and add as necessary. Apply the policy, then hit the toggle icon again to get rid of them from the list. >>>
0
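Keith's answer (ISA must be able to reach the CRL site) rests on how revocation checking behaves when the CRL distribution point cannot be fetched. The Go program below is an added example for this page, not ISA's code and nothing posted in the thread: it builds a throw-away CA, a server certificate carrying a constructed CRL distribution point (`http://crl.example.test/ca.crl`, a made-up address), and a CA-signed CRL, then runs the same check three ways: with outbound HTTP blocked, with the CRL reachable, and with the certificate revoked. The fetcher, the URL, the names and the serial numbers are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// crlURL is a constructed CRL distribution point, not any real CA's address.
const crlURL = "http://crl.example.test/ca.crl"

var ErrCRLUnavailable = errors.New("CRL distribution point unreachable")
var ErrRevoked = errors.New("certificate is revoked")

// CRLFetcher stands in for the HTTP fetch a validator makes per distribution point.
type CRLFetcher func(url string) ([]byte, error)

// VerifyWithCRL validates leaf against ca at time now, then consults every CRL
// distribution point in the leaf; an unreachable CRL is a validation failure.
func VerifyWithCRL(leaf, ca *x509.Certificate, now time.Time, fetch CRLFetcher) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	for _, dp := range leaf.CRLDistributionPoints {
		der, err := fetch(dp)
		if err != nil {
			return ErrCRLUnavailable // the state a host with no outbound web access is in
		}
		crl, err := x509.ParseRevocationList(der)
		if err != nil {
			return err
		}
		if err := crl.CheckSignatureFrom(ca); err != nil { // only the issuer's own CRL counts
			return err
		}
		if now.After(crl.NextUpdate) {
			return errors.New("CRL is past its NextUpdate")
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return ErrRevoked
			}
		}
	}
	return nil
}

// buildPKI creates a throw-away CA, a server cert (serial 4242) pointing at crlURL,
// and a CA-signed CRL revoking the given serial (nil revokes nothing). Errors from
// the crypto calls are ignored: with these fixed, valid templates they cannot occur.
func buildPKI(revoke *big.Int) (leaf, ca *x509.Certificate, crlDER []byte) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "owa.example.test"},
		DNSNames: []string{"owa.example.test"}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{crlURL}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(12 * time.Hour)}
	if revoke != nil {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: revoke, RevocationTime: now.Add(-time.Minute)}}
	}
	crlDER, _ = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return leaf, ca, crlDER
}

// serveCRL is an in-memory stand-in for the CA's CRL web site, i.e. the one site
// a system-policy rule would let the firewall reach.
func serveCRL(der []byte) CRLFetcher {
	return func(string) ([]byte, error) { return der, nil }
}

// RunScenarios returns the outcome for: no outbound web access, CRL reachable with
// the cert in good standing, and CRL reachable with the cert revoked.
func RunScenarios() (offline, online, revoked error) {
	blocked := func(string) ([]byte, error) { return nil, errors.New("outbound HTTP denied") }
	leaf, ca, crlDER := buildPKI(nil)
	offline = VerifyWithCRL(leaf, ca, time.Now(), blocked)
	online = VerifyWithCRL(leaf, ca, time.Now(), serveCRL(crlDER))
	leaf2, ca2, crlDER2 := buildPKI(big.NewInt(4242))
	revoked = VerifyWithCRL(leaf2, ca2, time.Now(), serveCRL(crlDER2))
	return offline, online, revoked
}
```

The first scenario is the questioner's situation: the chain itself is sound, and the failure comes solely from the CRL fetch, so the certificate looks the same on ISA as on the web server yet validates only where the CRL site is reachable. The remedy is the system-policy entry Keith describes, which opens HTTP to the CA's CRL site only rather than granting general web access. Because a CRL carries a NextUpdate after which it must be refreshed, that access needs to stay open rather than be granted once; the check above treats an expired CRL as a failure for that reason.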
 

Author Comment

by:inuic
ID: 17968121
How do you configure just SSL tunneling, that is end to end SSL with no bridging, then? I know how to do bridging, it seems, but am still confused as to when a user\client certificate comes into play. This is more complex than I had hoped...

Paul
0
 

Author Comment

by:inuic
ID: 17968159
We were able to access the internal web server over SSL even though the certs in ISA have the red X on them... Is that one way it's allowed to work? Is it that if I want to use client\user certificates in conjunction with what I am already doing, I need to get rid of the red X's on my certs in ISA?

Paul
0
 
LVL 51

Accepted Solution

by: Keith Alabaster (earned 125 total points)
ID: 17968221
Maybe it is simpler if I give you some links to check through. I am doing a couple of ISA 2000 questions at the moment, so I cannot get to the screens I need to give you the exact option.

Here is the difference between tunnelling and bridging:
http://www.isaserver.org/tutorials/Understanding_SSL_bridging_and_tunneling_within_ISA.html

These are the links I generally post to people to explain the process; they may give you the answer you are looking for.
http://support.microsoft.com/default.aspx?kbid=837834&product=isas2004
http://www.microsoft.com/technet/prodtechnol/isa/2004/help/FW_SecureWebPub.mspx?mfr=true
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/publishingwebservers.mspx
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_proxy_traffic.mspx
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/tscerts.mspx

I know you are on 2006, but the process is the same.

0
